June 17, 2026
Posted by Suresh Sathyamurthy
The latest Gartner research points to a future built on workload access management, secretless architectures, and governance across the multi-vault reality most enterprises already run.
For most of the last decade, the dominant secrets management strategy was simple: pick a vault, migrate everything to it, and call the project complete. That approach made sense at the time with workloads growing and credentials scattered across the enterprise. Centralizing secrets into a secure vault reduced risk and improved control.
However, it didn’t solve the underlying issues.
Industry experts have been warning about this for years. Gartner’s latest research, the Innovation Insights: Secrets Management report, raises the urgency.
Workloads include applications, containers, pipelines, automation scripts, and, increasingly, AI agents. Each of them needs to authenticate, often using API keys, tokens, certificates, or other credentials. Organizations are struggling to keep up:
- Secrets continue to proliferate
- Teams bypass official tools and manage credentials on their own
- Confusion between secrets and identities creates gaps in control
- Multiple vaults are already in use across clouds and platforms
The report makes clear that secrets management needs to evolve beyond vaulting and rotation alone. The future Gartner describes is built on workload access management, secretless approaches, short-lived credentials, and governance across the multiple vaults most enterprises already run.
Three themes stand out.
1. Static Credentials Are the Problem to Reduce, Not Just Rotate
Gartner is unusually direct here, declaring, “Avoid using static credentials!”
Many teams still treat rotation as the end goal: rotate the API key, rotate the password, rotate the token. But rotation does not change the underlying model. The workload still depends on a reusable secret. If that secret leaks, the attacker has something to use.
The stronger pattern is secretless access, or at least secret-reduced access. Instead of handing a workload a long-lived credential, authenticate the workload using something it already has: a cloud identity, Kubernetes identity, OIDC token, certificate, or other trusted platform identity. Then mint a short-lived credential only when needed.
That changes the model entirely. Instead of distributing and rotating credentials, organizations can authenticate workloads through trusted identities and issue access dynamically.
This is where workload access management becomes more than a new label. It is a practical answer to a real engineering problem: how does a workload prove who it is and get access without carrying a secret around like a spare house key?
2. Every Secrets Manager Has an Identity Problem Underneath It
One of the most useful visuals in the report is Gartner’s Figure 2, which shows a typical interaction between applications and secrets managers.

At first glance, it looks like a standard vault workflow. Code authenticates to the secrets manager, the secrets manager applies access control, and the application fetches what it needs.
But consider step one. Before a workload can retrieve a secret, it has to authenticate to the secrets manager. Gartner shows several ways this might happen, including managed cloud identity, local attestation, directory credentials, and certificates. Some of those authentication methods come with a warning: they must be protected.
That is the crux of the issue. Secrets management does not eliminate identity; it depends on it. So the real question is not only, “Where do we store the secret?” It’s, “How does this workload prove it should get access in the first place?”
Akeyless was built around that question. It can mint Just-in-Time credentials from a workload’s native platform identity, so access is issued at runtime rather than stored in code, pipelines, or configuration. This is the difference between managing more secrets and reducing the need for secrets in the first place.
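As an added illustration (not Akeyless code and not material from the report), the toy broker below shows the pattern described in sections 1 and 2: the workload presents an identity token it already has from its platform, the broker verifies signature, audience, expiry and policy before minting anything, and the credential it returns expires on its own instead of living in code or configuration. The IdP key, subject and resource names, and TTLs are constructed for the example; a real platform signs OIDC/JWT tokens with a private key that the broker verifies against the IdP's public key, but the control flow is the same.

```python
import base64, hashlib, hmac, json, secrets

# Constructed for this example: the platform IdP and the broker share one HMAC key.
# Real platforms sign OIDC/JWT identity tokens with a private key that the broker
# verifies using the IdP's public key; the checks below are otherwise identical.
IDP_KEY = b"constructed-idp-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_identity_token(subject: str, audience: str, ttl: int, now: int) -> str:
    """Platform IdP side: mint the JWT-like identity token the workload already has."""
    claims = {"sub": subject, "aud": audience, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


class CredentialBroker:
    """Exchanges a verified workload identity for a short-lived credential."""

    def __init__(self, audience: str, policy: dict, cred_ttl: int):
        self.audience, self.policy, self.cred_ttl = audience, policy, cred_ttl
        self.issued = {}  # credential -> (subject, resource, expiry)

    def exchange(self, token: str, resource: str, now: int) -> str:
        # Step one from the report's figure: authenticate the workload first.
        body, sig = token.split(".")
        expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            raise PermissionError("identity token signature invalid")
        claims = json.loads(_unb64(body))
        if claims["aud"] != self.audience or claims["exp"] <= now:
            raise PermissionError("identity token not for this broker or expired")
        if resource not in self.policy.get(claims["sub"], ()):
            raise PermissionError(f"{claims['sub']} is not allowed {resource}")
        cred = secrets.token_urlsafe(16)  # issued at runtime, never stored by the workload
        self.issued[cred] = (claims["sub"], resource, now + self.cred_ttl)
        return cred

    def validate(self, cred: str, resource: str, now: int) -> bool:
        """Resource side: a leaked credential is useless once its expiry passes."""
        rec = self.issued.get(cred)
        return rec is not None and rec[1] == resource and rec[2] > now
```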
3. The Single-Vault Strategy Does Not Match Enterprise Reality
For a long time, the accepted architectural answer was consolidating every team, cloud, and application onto your chosen vault solution.
That strategy almost never survives contact with the real world. Cloud teams want native services. Platform teams have existing pipelines. Some workloads need regional separation. Some teams already rely on AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, HashiCorp Vault, Kubernetes secrets, or tools embedded into AI platforms.
Gartner acknowledges these facts on the ground, stating plainly, “Manage secrets in multiple vaults instead of standardizing on one secrets vault product.”
This shifts the strategy from how to force every secret into one vault to how to govern every vault you already run. That challenge is often harder than it sounds. Even when strong tools are in place, they are frequently bypassed. Developers store credentials in code or configuration files to move faster. Teams build their own workflows outside of central control. The result is not just vault sprawl; it’s process sprawl.
That is where multi-vault governance becomes critical. Security teams need centralized visibility, consistent policy enforcement, lifecycle control, and auditability across decentralized vaults without forcing a migration project that teams will resist or route around.
Why Gartner Named Akeyless in Two Categories
Two of the strongest recommendations in the report are closely connected. Organizations need a path away from static credentials, and they need a way to govern the multi-vault reality they already operate. Gartner highlights Akeyless as the solution in categories that address both challenges: Workload Access Management and Governing Across Vaults through orchestration or synchronization capabilities.
Together, these categories reflect the broader direction Gartner outlines throughout the report: fewer static secrets, more identity-based access, and centralized governance across increasingly fragmented environments.
The table below maps some of the report’s key recommendations to the capabilities organizations need to put them into practice.
| Gartner Direction | What It Means for Security Teams | How Akeyless Helps |
|---|---|---|
| Avoid static credentials | Stop giving workloads long-lived secrets by default | Secretless authentication and short-lived credentials issued at runtime |
| Adopt workload access management | Let workloads prove identity before receiving access | Workload identity federation using native cloud, Kubernetes, OIDC, and other identity sources |
| Govern multiple vaults | Manage the vaults teams already use | Universal Secrets Connector and Multi-Vault Governance across AWS, Azure, GCP, HashiCorp Vault, Kubernetes, and more |
| Centralize policy and audit | Enforce consistency without forcing every team onto one tool | Unified RBAC/ABAC, lifecycle controls, rotation workflows, and audit trails |
| Prepare for AI agents | Control credentials used by autonomous systems | SecretlessAI, Agentic Runtime Authority, and Agentic Identity Intelligence |
Akeyless does not require organizations to choose between modernization and reality. Modern workloads can move toward secretless, identity-based access. Legacy systems remain protected with centralized vaulting, rotation, just-in-time delivery, and audit controls.
The Shift From Secrets to Identity
Gartner points out: “The real battle isn’t ‘secretless versus not,’ it’s who owns the control plane for workload identities.”
Secrets management is not going away, but the job is changing. Vaults still matter, especially for legacy credentials and systems that cannot yet support modern identity patterns. But the direction is clear: fewer static secrets, more runtime identity, and centralized governance across fragmented environments.
For practitioners, this is the practical takeaway: stop treating secrets management as a vault migration project and treat it as part of workload access management. Reduce static credentials where you can, govern every vault you already run, and build toward a model where access is issued when needed, tied to identity, and disappears when the task is done.
Download the full Gartner report to explore the complete research and recommendations.
Request a demo to see how Akeyless helps you move toward secretless access and secure machine identities and AI agents at scale.
FAQs
What is Gartner’s recommendation for secrets management?
Gartner recommends reducing reliance on static credentials and expanding secrets management into a broader workload identity and access strategy. This includes evaluating managed workload identities, short-lived credentials, and other approaches that keep secrets away from workloads whenever possible.
What is workload access management?
Workload Access Management (WAM) is a security approach that authenticates applications, services, containers, and other non-human workloads before granting access to resources. Rather than relying on long-lived credentials, workload access management uses trusted identities and dynamically issued access.
Why does Gartner recommend avoiding static credentials?
According to Gartner, static credentials create persistent security and operational risk because they must be stored, distributed, rotated, and protected. If exposed, they can often be reused by attackers. Managed workload identities and short-lived credentials help reduce that risk.
What is secretless authentication?
Secretless authentication allows workloads to access systems and services without storing passwords, API keys, or other long-lived credentials. Instead, workloads authenticate using trusted identities such as cloud-native identities, Kubernetes identities, or federated identity providers, and receive access at runtime. Platforms like Akeyless support this model by issuing short-lived credentials based on workload identity rather than stored secrets.
Why does Gartner recommend managing secrets across multiple vaults?
Gartner recognizes that most enterprises already operate multiple secrets managers across different clouds, platforms, and teams. Rather than forcing consolidation into a single vault, Gartner recommends establishing centralized governance, visibility, policy enforcement, and lifecycle management across existing vaults.
What is multi-vault governance?
Multi-vault governance is the practice of managing security policies, access controls, auditing, rotation, and visibility across multiple secrets management systems. It helps organizations maintain consistent controls without requiring teams to migrate all secrets into a single vault. Akeyless provides multi-vault governance that enables centralized policy and visibility across AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, Kubernetes, and other environments.